RTF malware analysis — malicious · 7d1f26f059f730ba

MALICIOUS

RTF

5.77 MB Created: 2018-05-30 02:03:00 First seen: 2019-01-12

MD5: 031a9dd69241ab6cbb052dcaa4cb75cc SHA-1: 91ef6fcd481eba9fba731b7f4db191ad95fc11fa SHA-256: 7d1f26f059f730bab5e17314c5974591ad03c7883d0ec7558d76f0efad5cf196

302 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The RTF file contains multiple embedded OLE objects, including a package object, with significant amounts of hex-encoded data. The critical CVE-2017-8759 heuristic indicates exploitation of MSXML SAX OLE activation, likely to execute a payload hidden within the embedded objects. The extracted artifacts suggest the presence of potentially malicious binary content.

Heuristics 9

CVE-2017-8759 — MSXML SAX OLE activation critical CVE likely CVE_2017_8759

RTF contains a hex-encoded OLE1 object for Msxml2.SAXXMLReader.6.0 followed by an embedded OLE compound document, and the document requests OLE activation. This matches the RTF staging shape used for CVE-2017-8759 SOAP/WSDL parser code injection.
Automatically linked OLE object high RTF_OBJAUTLINK

RTF contains \objautlink — an automatically linked OLE object surface that can be updated or activated when Word opens the document.
\objupdate forces OLE activation high RTF_OBJUPDATE

RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
Package object class high RTF_OBJCLASS_PACKAGE

OLE Package object — can wrap arbitrary files
Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX

RTF contains ~5102KB of hex-encoded data inside \objdata sections — may hide a payload
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
OLE object data medium RTF_OBJDATA

RTF contains 3 \objdata section(s) — embedded OLE objects
Embedded OLE object medium RTF_OBJEMB

RTF contains \objemb — embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.microsoft.com/office/word/2003/wordml In RTF body

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objdata_00_off00002ae8.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x2AE8	2531204 bytes
SHA-256: `be77329e8b38525dfd08e420c5109c464cef8deaec93b490c74617fe455c71f9`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): MshTAcHPIrM6Pks7el+PS0+9gp8ME8hzSwfEXdAjLgOv8xvhpBMq4/F1ii2Taoeh/zl5GHrW6sDNswNkT3Wx3TCAjdp7+EvpuGawcZJlPjOix22IejoSE6gmpXOpUDBoxL3YooGRRM+L1S+EupozZgt4QXPQqL5y59p/z
`objdata_01_off004e7c9a.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x4E7C9A	1326 bytes
SHA-256: `25b7dc6e3e330bd7c31a8e60e94368f16199486b7bea52989071ba6d3923e68c`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis recovered command string(s): WScript.Shell", wscript.exe /nologo %temp%/String.fromCharCode(102, 111, 110, 116, 115, 46, 118, 98, 115)" Carved artifact contains 2 shell/COM execution token(s).
`objdata_02_off005b85ed.bin`	rtf-objdata-decoded	RTF \objdata at offset 0x5B85ED	3480 bytes
SHA-256: `4747f85d39234b33712684cbdc9a52700082e7aedfbdf7393968ddab5ef53c2c`

Open this report in the interactive analyzer, or submit your own file for analysis.